
Support standard Forwarded header

Open PSanetra opened this issue 7 months ago • 4 comments

As far as I can see the ingress controller currently just supports the "non-standard" X-Forwarded-* headers. It would be nice to also support the standard Forwarded header.

Use case: Keycloak has added support for the Forwarded header with version 21.0.0 and advises reverse proxies to override this header.

Support in the nginx ingress controller is currently added, too: https://github.com/kubernetes/ingress-nginx/pull/10322

PSanetra avatar Nov 29 '23 11:11 PSanetra

Hey @PSanetra! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

github-actions[bot] avatar Nov 29 '23 11:11 github-actions[bot]

I think this would rather be a request for Envoy, as the existing X-Forwarded-* logic is also implemented there.

With a quick glance at the proposed NGINX approach, it seems to use a configuration approach, with some limitations mentioned in the warning of the wiki article.

I think proper parsing would rather be done in C++ in Envoy.

As a pointer for those who are looking for the workaround: overriding the header can be done using request rewriting: (1) use httpproxy.spec.routes.requestHeadersPolicy.remove to remove the Forwarded header, or alternatively, maybe attempt to trivially (2) use requestHeadersPolicy.set to set the header to for=%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% (link)

Coincidentally, I've written an issue for Keycloak https://github.com/keycloak/keycloak/issues/23431 😅

tsaarni avatar Nov 29 '23 12:11 tsaarni

Thank you @tsaarni for that suggestion!

I think I will set that header in the bitnami Helm chart globally like this:

configInline:
  policy:
    applyToIngress: true
    request-headers:
      set:
        Forwarded: "for=%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%;host=%REQ(Host)%;proto=%PROTOCOL%"

PSanetra avatar Nov 30 '23 10:11 PSanetra
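
The override discussed above, as an added example that is not part of the thread and is not Contour, Envoy or Keycloak code: a small RFC 7239 `Forwarded` parser in Python, plus a model of the "set" policy, showing what a backend reads when the client-supplied header is passed through versus overwritten at the edge. The function names and all sample addresses and hostnames are constructed for illustration.

```python
import re

# One forwarded-pair: token "=" (token / quoted-string), RFC 7239 section 4.
# The unquoted-value branch is deliberately lenient about token characters.
_PAIR = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)=("(?:[^"\\]|\\.)*"|[^;,\s"]*)\s*')

def _split(s, sep):
    """Split on sep, ignoring separators that sit inside a quoted-string."""
    parts, buf, quoted, esc = [], [], False, False
    for ch in s:
        if esc:
            esc = False
        elif ch == "\\" and quoted:
            esc = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def parse_forwarded(value):
    """Return one dict per forwarded-element, in header order."""
    elements = []
    for element in _split(value, ","):
        if not element.strip():
            continue
        params = {}
        for pair in _split(element, ";"):
            m = _PAIR.fullmatch(pair)
            if not m:
                raise ValueError(f"malformed forwarded-pair: {pair!r}")
            name, val = m.group(1).lower(), m.group(2)  # names are case-insensitive
            if val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # strip quotes, unescape
            params[name] = val
        elements.append(params)
    return elements

def overwrite_at_edge(headers, remote_addr, host, proto):
    """Model of a 'set' policy: drop the client's value, emit a single element."""
    # IPv6 literals must be bracketed and quoted in a 'for' parameter.
    node = f'"[{remote_addr}]"' if ":" in remote_addr else remote_addr
    return {**headers, "Forwarded": f"for={node};host={host};proto={proto}"}

def client_ip(headers):
    """What a backend that trusts the first element takes as the client."""
    return parse_forwarded(headers["Forwarded"])[0]["for"]
```

With pass-through, `client_ip` returns whatever `for=` value the client sent; after `overwrite_at_edge` it returns the address of the connection the proxy actually accepted.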

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

github-actions[bot] avatar Feb 06 '24 00:02 github-actions[bot]
